Update Deploy

Author: yunomix2834

.github/workflows/deploy.yml

@@ -0,0 +1,179 @@
+name: CD Deploy to Server (SSH)
+
+on:
+  # Chỉ chạy sau khi các workflow build đã hoàn tất
+  workflow_run:
+    workflows:
+      - Build & Push Docker Images
+      - Build & Push coding-service
+      - Build & Push file-service
+    types: [ completed ]
+  # Cho phép chạy tay nếu cần
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-${{ github.event_name }}-${{ github.event.workflow_run.id || github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    # Chỉ chạy khi workflow build kết thúc SUCCESS và nguồn là main hoặc tag v*.*.*
+    if: >
+      (github.event_name == 'workflow_dispatch') ||
+      (
+        github.event_name == 'workflow_run' &&
+        github.event.workflow_run.conclusion == 'success' &&
+        (
+          github.event.workflow_run.head_branch == 'main' ||
+          startsWith(github.event.workflow_run.head_branch, 'v')
+        )
+      )
+    runs-on: ubuntu-latest
+    environment: production
+
+    steps:
+      - name: Show trigger context (debug)
+        run: |
+          echo "event_name:        ${{ github.event_name }}"
+          echo "run.conclusion:    ${{ github.event.workflow_run.conclusion || 'N/A' }}"
+          echo "run.event:         ${{ github.event.workflow_run.event || 'N/A' }}"
+          echo "run.head_branch:   ${{ github.event.workflow_run.head_branch || 'N/A' }}"
+          echo "run.head_sha:      ${{ github.event.workflow_run.head_sha || 'N/A' }}"
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Derive IMAGE_TAG (from workflow_run or manual)
+        shell: bash
+        env:
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          EVENT_NAME: ${{ github.event_name }}
+        run: |
+          set -euo pipefail
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            # chạy tay: mặc định tag theo short SHA của commit hiện tại
+            echo "IMAGE_TAG=${GITHUB_SHA::12}" >> $GITHUB_ENV
+          else
+            # workflow_run: nếu là tag vX.Y.Z -> IMAGE_TAG = X.Y.Z, ngược lại = shortSHA của head_sha
+            if [[ "${HEAD_BRANCH}" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+              echo "IMAGE_TAG=${HEAD_BRANCH#v}" >> $GITHUB_ENV
+            else
+              SHORT="${HEAD_SHA:0:12}"
+              echo "IMAGE_TAG=${SHORT}" >> $GITHUB_ENV
+            fi
+          fi
+          echo "IMAGE_TAG=$IMAGE_TAG"
+
+      - name: Compute .env SHA256
+        run: |
+          if [ ! -f .env ]; then
+            echo "::error::.env không tồn tại trong repo tại thời điểm deploy."
+            exit 1
+          fi
+          echo "ENV_SHA=$(sha256sum .env | awk '{print $1}')" >> $GITHUB_ENV
+
+      - name: Prepare deploy bundle
+        run: |
+          mkdir -p deploy_bundle
+          cp -v .env deploy_bundle/.env
+          cp -v docker-compose.prod-infra.yml deploy_bundle/
+          cp -v docker-compose.prod-services.yml deploy_bundle/
+
+          mkdir -p ops
+          cat > ops/deploy.sh <<'EOS'
+          #!/usr/bin/env bash
+          set -euo pipefail
+
+          DEPLOY_DIR="${DEPLOY_DIR:-$HOME/codecampus}"
+          cd "$DEPLOY_DIR"
+
+          cp -f .env ".env.bak.$(date +%Y%m%d-%H%M%S)" || true
+
+          if grep -q '^IMAGE_TAG=' .env; then
+            sed -i "s/^IMAGE_TAG=.*/IMAGE_TAG=${IMAGE_TAG}/" .env
+          else
+            echo "IMAGE_TAG=${IMAGE_TAG}" >> .env
+          fi
+
+          set -a
+          source .env
+          set +a
+
+          compose() {
+            if docker compose version >/dev/null 2>&1; then
+              docker compose "$@"
+            else
+              docker-compose "$@"
+            fi
+          }
+
+          if [ -n "${DOCKERHUB_USER:-}" ] && [ -n "${DOCKERHUB_TOKEN:-}" ]; then
+            echo "docker login Docker Hub..."
+            echo "$DOCKERHUB_TOKEN" | docker login -u "$DOCKERHUB_USER" --password-stdin
+          else
+            echo "Thiếu DOCKERHUB_USER/DOCKERHUB_TOKEN trong .env (image public thì vẫn OK)."
+          fi
+
+          echo "Hạ tầng (idempotent)..."
+          compose -f docker-compose.prod-infra.yml --env-file .env up -d
+
+          echo "Pull images tag ${IMAGE_TAG}..."
+          compose -f docker-compose.prod-services.yml --env-file .env pull
+
+          echo "Up services..."
+          compose -f docker-compose.prod-services.yml --env-file .env up -d
+
+          echo "Prune dangling images..."
+          docker image prune -f || true
+
+          echo "Deploy xong."
+          EOS
+          chmod +x ops/deploy.sh
+          cp -v ops/deploy.sh deploy_bundle/
+
+      - name: Upload bundle to server
+        uses: appleboy/[email protected]
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: ${{ secrets.SSH_USER }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          port: ${{ secrets.SSH_PORT || 22 }}
+          source: "deploy_bundle/*"
+          target: "${{ secrets.DEPLOY_DIR || '~' }}/codecampus"
+          overwrite: true
+          strip_components: 1
+
+      - name: Verify .env identical & run deploy
+        uses: appleboy/[email protected]
+        env:
+          IMAGE_TAG: ${{ env.IMAGE_TAG }}
+          ENV_SHA: ${{ env.ENV_SHA }}
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: ${{ secrets.SSH_USER }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          port: ${{ secrets.SSH_PORT || 22 }}
+          script_stop: true
+          script: |
+            set -euo pipefail
+            DEPLOY_DIR="${DEPLOY_DIR:-${{ secrets.DEPLOY_DIR || '$HOME' }}/codecampus}"
+            mkdir -p "$DEPLOY_DIR"
+            cd "$DEPLOY_DIR"
+
+            if [ ! -f .env ]; then
+              echo "::error::Không thấy $DEPLOY_DIR/.env trên server."
+              exit 1
+            fi
+            SERVER_SHA=$(sha256sum .env | awk '{print $1}')
+            echo "Local  .env sha: $ENV_SHA"
+            echo "Server .env sha: $SERVER_SHA"
+            if [ "$SERVER_SHA" != "$ENV_SHA" ]; then
+              echo "::error::.env trên server KHÁC repo. Hủy deploy để tránh sai lệch."
+              exit 1
+            fi
+
+            IMAGE_TAG="${IMAGE_TAG:-latest}" DEPLOY_DIR="$DEPLOY_DIR" bash ./deploy.sh

deploy-ssh-yunomix2834

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBFv/Tc518gRoLO3t4Lw8Kgm46mShdhN1wpJ72nIELm5gAAAKj/gA4A/4AO
+AAAAAAtzc2gtZWQyNTUxOQAAACBFv/Tc518gRoLO3t4Lw8Kgm46mShdhN1wpJ72nIELm5g
+AAAECyfOvS80b556EouPld5YPW2SlRqvYchAQxCjvsjWd1TUW/9NznXyBGgs7e3gvDwqCb
+jqZKF2E3XCknvacgQubmAAAAIGRlcGxveS1zc2gteXVub21peDI4MzRAZ21haWwuY29tAQ
+IDBAU=
+-----END OPENSSH PRIVATE KEY-----

deploy-ssh-yunomix2834.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEW/9NznXyBGgs7e3gvDwqCbjqZKF2E3XCknvacgQubm [email protected]

scripts/create-key.bash

@@ -0,0 +1,21 @@
+# Tạo thư mục ~/.ssh (nếu chưa có) và set quyền đúng
+mkdir -p ~/.ssh && chmod 700 ~/.ssh
+
+# Tạo file deploy-ssh-yunomix2834.pub với nội dung của public key
+cat > ~/.ssh/deploy-ssh-yunomix2834.pub <<'EOF'
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEW/9NznXyBGgs7e3gvDwqCbjqZKF2E3XCknvacgQubm [email protected]
+EOF
+
+# Set permission cho file public key
+chmod 644 ~/.ssh/deploy-ssh-yunomix2834.pub
+
+# Tạo authorized_keys nếu chưa có
+touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
+
+# Chỉ thêm nếu chưa tồn tại để tránh trùng lặp
+grep -qxF -f ~/.ssh/deploy-ssh-yunomix2834.pub ~/.ssh/authorized_keys \
+  || cat ~/.ssh/deploy-ssh-yunomix2834.pub >> ~/.ssh/authorized_keys
+
+# Kiểm tra nhanh
+ssh-keygen -lf ~/.ssh/deploy-ssh-yunomix2834.pub
+# sẽ in fingerprint của key để xác nhận

scripts/generate-deploy-key.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+KEY_NAME="${1:-deploy-ssh-yunomix2834}"
+EMAIL_HINT="${2:-deploy-ssh-yunomix2834@gmail.com}"
+
+umask 077
+ssh-keygen -t ed25519 -C "$EMAIL_HINT" -f "./${KEY_NAME}" -N ""
+
+echo
+echo "Created key pair:"
+echo "  Private: ./${KEY_NAME}"
+echo "  Public : ./${KEY_NAME}.pub"
+echo
+echo "Trên server, thêm public key vào ~/.ssh/authorized_keys:"
+echo "   cat ${KEY_NAME}.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
+echo
+echo "Trong GitHub → Secrets, set SSH_PRIVATE_KEY = nội dung file ${KEY_NAME}"

generateKeyStore.sh scripts/generate-key-store.shgenerateKeyStore.sh renamed to scripts/generate-key-store.sh

@@ -0,0 +1,17 @@
+# Docker + Compose plugin
+sudo apt-get update
+sudo apt-get install -y ca-certificates curl gnupg
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg \
+ | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+echo \
+  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
+  https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
+  $(. /etc/os-release; echo "$VERSION_CODENAME") stable" \
+ | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
+sudo apt-get update
+sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+# Thư mục deploy
+mkdir -p /opt/codecampus
+sudo chown -R "$USER":"$USER" /opt/codecampus